Post navigation

The 21st Century Cures Act, HIPAA, Big Data, and Medical Research

The 21st Century Cures Act is a big deal; the House passed it handily, and we’re still waiting to see what the Senate does. A lot has been written about what it does in terms of changing FDA review processes, and a fair bit about the lovely increase in funding for NIH (see Rachel Sachs’ blog posts here, here, and here). These are tremendously important.

But another provision in the bill has been getting much less play: the way it changes HIPAA to enable large-scale research, which is also a big deal all by itself.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) contains privacy protections relating to Protected Health Information—basically any information generated by or disclosed by or to health insurance companies, doctors, and health clearinghouses (with some limits). The Privacy Rule (HHS’s implementation of HIPAA’s requirements) specifies that personally identifiable health information can only be used or disclosed in a limited set of specific circumstances.

Now, some of these circumstances are pretty broad – they include health care operations, disclosures required by law, public health purposes (mostly giving information to FDA about drug safety), and payment purposes. But there is no general exception for research. You might think that “health care operations” might be interpreted expansively to include research, and indeed it does include quality assessments and the development of clinical guidelines. But the Rule explicitly states that studies don’t count as health care operations if their primary purpose is “generalizable knowledge.” (21 C.F.R. § 164.501). This interaction is far from clear, and that uncertainty itself may inhibit uses that HIPAA doesn’t actually prohibit. (The New York Times recently had a nice piece)

These limits are important in an era of Big Data in medicine. Drug companies, insurers, doctors, and pharmacies all have lots of information about patient health, and there are tremendous possibilities to use that information to find new biological relationships, make predictions, and improve health care in general. (I’ve written about some of that here and continue to think about these issues). But if HIPAA keeps those data holders and data users from conducting these studies—or even if firms think HIPAA keeps them from conducting these studies and therefore hold back on their own—we’re missing out on a lot of potential information. (Anonymization helps cut through the HIPAA knot but comes with its own problems, which I won’t get into here).

The 21st Century Cures Act promises to change this pretty directly, by requiring the Secretary of HHS to “revise or clarify” the Privacy Rule (even Congress isn’t sure what exactly is permitted!) so that research “including studies whose purpose is to obtain generalizable knowledge” falls within the definition of health care operations. (§ 1124). It’s got some other changes as well (discussed well here), including allowing companies to charge for such information (and potentially solving a problem discussed extensively by Barbara Evans in a 2014 Health Matrix article available here (warning: PDF)).

Now, for those worried about HIPAA adequately protecting privacy, these provisions are unlikely to seem like good news. But if you think that HIPAA is preventing a lot of really useful research, these are exciting (and understudied) parts of the 21st Century Cures Act. We’ll see what happens in the Senate!